Biz & IT —

Now over (for the moment) Syria's blackout was carefully planned, with no leaks.

Syrian president Bashar Al-Assad's regime has cut the country's connection to the Internet, and has shut down much of the country's other telecommunications infrastructure as fighting continues near Damascus.

Share this story

Update: At 14:32 UTC (11:32 Eastern Time today), Syrian networks started to re-establish connections with the Internet. In an e-mail to Ars, CloudFlare CEO Matthew Prince said, that "beginning this morning we began to see the country's network come back online. We have confirmed that the BGP routes have been reestablished and we are seeing Web requests again to CloudFlare's network from both wired and mobile devices."

Just after noon Damascus time on Thursday, the government-owned Syrian Telecommunications Establishment essentially deleted the whole country from the Internet's routing tables, blocking all inbound and outbound network traffic. Rather than the result of terrorist attacks, as the government claimed on state television, the blackout was a well-rehearsed and deliberate act intended to deny connection to Syria's citizens and the opposition forces currently trying to topple the regime of President Bashar Al-Assad.

Five Syrian networks, identified by their IP address prefixes, were reachable over the network connections of Indian telecom provider Tata Communications until late Thursday. The Syrian government's previous network monitoring company, BGPMon, reported that the country was 100 percent offline by 1:45 AM Damascus time Friday morning, until 4:30 PM on December 1 when connections were restored. There were also reports of widespread landline and cellular phone service outages.

That didn't mean that there was no way for Syrian citizens to connect to the outside world. And the US State Department provided communications equipment to "dozens" of local councils in areas of Syria no longer under government control in order to bypass Syria's government-controlled networks.

But the Internet blackout in Syria was much more complete than the similar government-directed blocking of communications by former Egyptian president Hosni Mubarak's regime in January. That's probably because the Assad regime has been honing its network warfare skills for some time and preparing a plan for a complete network shutdown—staging two dress-rehearsals just in the last week.

Enlarge/ An Arbor Networks graphic showing the sudden drop-off in network traffic from Syria on Thursday as the country essentially erased itself from network routing tables.

Enlarge/ By comparison, the Egyptian government's Internet blackout in January still allowed some traffic to reach the Internet.

Creating a chokepoint

Syria has been moving toward consolidating its network traffic since the summer of this year, increasingly shifting its network routes as sanctions from the US and European Union blocked western telecommunications companies from continuing to do business with Syria. Since August, the Syrian Telecommunications Establishment has also tried to reduce its reliance on Ankara-based Turk Telecom as tensions have risen between the Turkish and Syrian governments.

Turk Telecom has still handled a very small percentage of Syria's traffic over its terrestrial cable link, but the vast majority of Syria's network routes were being handled via undersea cable links from Tartous, Syria to Lebanon and by Hong Kong based PCCW. "Almost all [of Syria's network traffic] was via PCCW delivered out of Europe," said Tom Paseka, a lead network engineer for CloudFlare, in an exchange of emails with Ars Technica. Tata Communications and Telecom Italia also continued to provide some small amount of network connectivity as well, though many of the IP addresses served by Tata were actually hosted outside of Syria.

That centralization of the nation's Internet traffic gave the Assad regime a much greater level of control over communications with the outside world. And it took place as the government—which already has used deep packet inspection technology to track citizens' use of the Internet—began to use its control over the national Internet infrastructure as a weapon. In May it was discovered that government agents were using servers in Damascus (hosted through Tata Communications) as part of an effort to install malware on dissident's computers to monitor their Internet activities.

In July, the Syrian Telecommunications Establishment changed routing tables, causing (either accidentally or deliberately) a 40-minute long nationwide Internet outage. But otherwise, Syria's Internet traffic remained relatively stable despite the violence and upheaval within the country—until this week, which began with two network blackouts lasting about 15 minutes each, according to traffic data from multiple content delivery networks and network monitoring companies.

On the first occasion—Sunday, November 25—network traffic from Syria dropped to about 13 percent of its normal levels, according to CloudFlare CEO Matthew Prince. The second outage, on November 27, resulted in an even more significant drop, with traffic reduced to 0.2 percent of its usual levels. These now appear to have been test runs to prepare for a full-blown shutdown of the country's Internet presence.

Enlarge/ Cloudflare's traffic analysis for Syrian IP addresses shows two brief interruptions of traffic earlier this week, on November 25 and 27.

Pulling the noose tight

At noon Damascus time on Thursday, the Syrian Telecommunications Establishment began another shutdown. First, the routing advertisements being sent for Syria's networks over the Border Gateway Protocol via PCCW were withdrawn, and then each of the other connections was shut down in succession. A CloudFlare network engineer recorded the changes in routing advertisements as they disappeared:

Syria disappears from routing maps as it shuts down its routers connecting to PCCW and others, as recorded by CloudFlare's logs.

When asked if there was any sign that Syria's routers updated the routing maps themselves or if they simply shut routers off, Paseka told Ars, "We are unable to tell as we are a few hops removed. All we can tell is the routes were withdrawn. It's likely they shut down the BGP neighbors"—the routers that were set to peer with each of the networks. In just a few moments, everything within Syria was cut off, including the government's own networks.

Since the shutdown, a number of organizations have been advertising phone numbers that Syrian citizens can dial with modems to connect to the Internet and circumvent the government's shutdown. The Electronic Frontier Foundation posted phone numbers for dial-up Internet access through the Internet collective Telecomix. And in a post to Google+, a Google spokesperson announced that the Speak2Tweet service the company created with Twitter during the Egyptian Internet blackout was available to Syrians lucky enough to still have landline or cellular phone service. The service turns voice mail messages left at one of Google's phone numbers into audio files hosted on Google and linked in a Twitter post.

But it appeared that few Syrian citizens had access to working landlines or cell phones to use any of these services. Furthermore, the Syrian government has already demonstrated that it tracks satellite communications. A British reporter and French photojournalist were killed in Homs in February after the Syrian military "'locked on' to their satellite phone signals and attacked the buildings from which they were coming," the Telegraph reported.

That means that citizens trying to circumvent the blackout—whether the government admits to it being under their control or not—may place themselves at even greater risk of surveillance and detection. As the pressure on the Assad regime builds, that risk may be more than most citizens—no matter what their status or wealth—are willing to take on.

Share this story

Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Emailsean.gallagher@arstechnica.com//Twitter@thepacketrat